<!DOCTYPE html>
<html lang=zh>
<head>
    <!-- so meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
    <meta property="og:type" content="article">
<meta property="og:title" content="[漏洞挖掘]浅谈信息收集">
<meta property="og:url" content="https://github.com/TonyD0g/2022/01/07/%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E6%B5%85%E8%B0%88%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/index.html">
<meta property="og:site_name" content="TonyD0g">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-01-07T07:23:16.000Z">
<meta property="article:modified_time" content="2023-07-20T07:35:40.041Z">
<meta property="article:author" content="TonyD0g">
<meta name="twitter:card" content="summary">
    
    
        
          
              <link rel="shortcut icon" href="/images/favicon.ico">
          
        
        
          
            <link rel="icon" type="image/png" href="/images/favicon-192x192.png" sizes="192x192">
          
        
        
          
            <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">
          
        
    
    <!-- title -->
    <title>[漏洞挖掘]浅谈信息收集</title>
    <!-- styles -->
    
<link rel="stylesheet" href="/css/style.css">

    <!-- persian styles -->
    
      
<link rel="stylesheet" href="/css/rtl.css">

    
    <!-- rss -->
    
    
<meta name="generator" content="Hexo 4.2.1"></head>

<body class="max-width mx-auto px3 ltr">
    

    
    <div class="content index py4">
        
        <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
  <header>
    
    <h1 class="posttitle" itemprop="name headline">
        [漏洞挖掘]浅谈信息收集
    </h1>



    <div class="meta">
      <span class="author" itemprop="author" itemscope itemtype="http://schema.org/Person">
        <span itemprop="name">TonyD0g</span>
      </span>
      
    <div class="postdate">
      
        <time datetime="2022-01-07T07:23:16.000Z" itemprop="datePublished">2022-01-07</time>
        
        (Updated: <time datetime="2023-07-20T07:35:40.041Z" itemprop="dateModified">2023-07-20</time>)
        
      
    </div>


      

      

    </div>
  </header>
  

  <div class="content" itemprop="articleBody">
    <font size=4 >

<span id="more"></span>

<p>按顺序收集一波估计也差不多了。</p>
<h2 id="子域名信息收集"><a href="#子域名信息收集" class="headerlink" title="子域名信息收集"></a>子域名信息收集</h2><ul>
<li><p><strong>在线网站</strong>:</p>
<p><a href="http://whatweb.bugscaner.com/look/" target="_blank" rel="noopener">http://whatweb.bugscaner.com/look/</a></p>
<p><a href="https://phpinfo.me/domain" target="_blank" rel="noopener">https://phpinfo.me/domain</a></p>
<p><a href="https://www.virustotal.com/gui/home/search" target="_blank" rel="noopener">https://www.virustotal.com/gui/home/search</a></p>
<p><a href="http://z.zcjun.com/" target="_blank" rel="noopener">http://z.zcjun.com/</a></p>
<p><a href="http://scan.javasec.cn/" target="_blank" rel="noopener">http://scan.javasec.cn/</a></p>
<p><a href="https://hunter.qianxin.com/" target="_blank" rel="noopener">https://hunter.qianxin.com/</a></p>
</li>
<li><p><strong>whois查询</strong>:<br><a href="https://www.aizhan.com/" target="_blank" rel="noopener">https://www.aizhan.com/</a></p>
<p><a href="https://tool.chinaz.com/" target="_blank" rel="noopener">https://tool.chinaz.com/</a></p>
</li>
<li><p><strong>IP反查域名</strong><br><a href="https://site.ip138.com/XXX.XXX.XXX.XXX/" target="_blank" rel="noopener">https://site.ip138.com/XXX.XXX.XXX.XXX/</a></p>
</li>
</ul>
<p>用途:<br>利用以上收集到的邮箱、QQ、电话号码、姓名、以及域名服务商可以用来社工客户或者渗透域服务商，拿下域管理控制台，然后做域劫持；通过收集到的邮箱，可以在社工库查找是否有出现泄漏密码，以及通过搜索引擎搜索到社交账号等信息，通过社交和社工得到的信息构造成密码字典，然后对 mail 和 oa 进行爆破或者撞库。</p>
<ul>
<li><p><strong>暴力枚举</strong>:<br>Layer子域名挖掘机、subDomainsBrute 等工具</p>
</li>
<li><p><strong>SSL证书查询</strong>:<br>censys.io<br>crt.sh<br>dnsdumpster.com</p>
</li>
<li><p><strong>证书泄密</strong>:<br>火狐浏览器,访问一个https的链接可能会弹出一个警告窗: “警告:面临潜在的安全风险”<br>点击 高级选项 即可查看详情.</p>
</li>
<li><p><strong>第三方查询</strong>:<br>shodan<br>fofa</p>
</li>
</ul>
<h2 id="IP段信息收集"><a href="#IP段信息收集" class="headerlink" title="IP段信息收集"></a>IP段信息收集</h2><p><strong>绕过CDN</strong>:</p>
<p><a href="https://fofa.info/" target="_blank" rel="noopener">FOFA</a><br><a href="https://hunter.qianxin.com/" target="_blank" rel="noopener">全球鹰</a><br><a href="https://quake.360.cn/" target="_blank" rel="noopener">360Quake</a><br><a href="https://www.zoomeye.org/" target="_blank" rel="noopener">钟馗之眼</a><br><a href="https://www.censys.io/" target="_blank" rel="noopener">censys</a><br><a href="https://www.shodan.io/" target="_blank" rel="noopener">shodan</a><br><a href="https://www.dnsdb.io/zh-cn" target="_blank" rel="noopener">全球DNS搜索引擎</a><br><a href="http://lookahead.surfwax.com/" target="_blank" rel="noopener">Surfwax元搜索</a><br><a href="https://archive.org/web/" target="_blank" rel="noopener">Way Back Machine(搜索网站过去的样子)</a><br><a href="https://scholar.google.com.ph/" target="_blank" rel="noopener">Google学术</a></p>
<h2 id="C段查询，旁站查询"><a href="#C段查询，旁站查询" class="headerlink" title="C段查询，旁站查询"></a>C段查询，旁站查询</h2><p><a href="http://s.tool.chinaz.com/same" target="_blank" rel="noopener">http://s.tool.chinaz.com/same</a><br><a href="http://www.webscan.cc/" target="_blank" rel="noopener">http://www.webscan.cc</a><br>FOFA语法：ip&#x3D;&quot;192.168.X.X&#x2F;24&quot;</p>
<h2 id="企业信息收集"><a href="#企业信息收集" class="headerlink" title="企业信息收集"></a>企业信息收集</h2><p><a href="https://www.tianyancha.com/" target="_blank" rel="noopener">天眼查</a></p>
<p><a href="https://www.qcc.com/" target="_blank" rel="noopener">企查查</a></p>
<p><a href="https://aiqicha.baidu.com/?from=pz" target="_blank" rel="noopener">爱企查</a><br><a href="https://github.com/wgpsec/ENScan">爱企查信息收集脚本</a></p>
<h2 id="微信小程序信息收集姿势"><a href="#微信小程序信息收集姿势" class="headerlink" title="微信小程序信息收集姿势"></a>微信小程序信息收集姿势</h2><p>(1)微信小程序搜索：公司名称、系统名称、系统相关、遍历与公司或系统相关的字样进行搜索<br><a href="https://weixin.sogou.com/" target="_blank" rel="noopener">微信公众号</a></p>
<p>(2)<a href="https://www.xiaolanben.com/" target="_blank" rel="noopener">小蓝本</a></p>
<p>(3)<a href="https://www.jzl.com/" target="_blank" rel="noopener">极致了</a></p>
<p>(4)<a href="http://data.xiguaji.com/" target="_blank" rel="noopener">西瓜数据</a></p>
<p>(5)APP资产：<br><a href="https://app.diandian.com/" target="_blank" rel="noopener">点点</a><br><a href="https://www.qimai.cn/" target="_blank" rel="noopener">七麦</a></p>
<h2 id="空间搜索引擎"><a href="#空间搜索引擎" class="headerlink" title="空间搜索引擎"></a>空间搜索引擎</h2><p><a href="https://fofa.info/" target="_blank" rel="noopener">fofa</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">语法举例:</span><br><span class="line">country=&quot;CN&quot; 搜索中国的资产</span><br><span class="line"></span><br><span class="line">region=&quot;Zhejiang&quot; 搜索指定行政区的资产</span><br><span class="line"></span><br><span class="line">city=&quot;Hangzhou&quot; 搜索指定城市的ip资产</span><br><span class="line"></span><br><span class="line">title=&quot;abc&quot; 从标题中搜索abc</span><br><span class="line"></span><br><span class="line">查询条件连接：&amp;&amp;</span><br><span class="line"></span><br><span class="line">eg:</span><br><span class="line"></span><br><span class="line">查询所属城市为杭州、标题为后台登录的页面</span><br><span class="line"></span><br><span class="line">city=&quot;Hangzhou&quot;&amp;&amp;title=&quot;后台登录&quot;</span><br></pre></td></tr></table></figure>

<h2 id="Google-hacking语法扩展"><a href="#Google-hacking语法扩展" class="headerlink" title="Google hacking语法扩展"></a>Google hacking语法扩展</h2><p><strong>site , filetype , inurl , intitle , intext , 符号</strong></p>
<p><strong>site:</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">功能： 搜索指定的域名的网页内容，可以用来搜索子域名、跟此域名相关的内容。</span><br><span class="line">示例：</span><br><span class="line">site:zhihu.com 搜索跟zhihu.com相关的网页</span><br><span class="line">&quot;web安全&quot; site:zhihu.com 搜索zhihu.com跟web安全相关的网页</span><br><span class="line">&quot;sql注入&quot; site:csdn.net 在csdn.net搜索跟sql注入相关的内容</span><br><span class="line">&quot;教程&quot; site:pan.baidu.com 在百度盘中搜索教程</span><br></pre></td></tr></table></figure>

<p><strong>filetype:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">功能： 搜索指定文件类型</span><br><span class="line">示例：</span><br><span class="line">&quot;web安全&quot; filetype:pdf 搜索跟安全书籍相关的pdf文件</span><br><span class="line">nmap filetype:ppt 搜索跟nmap相关的ppt文件</span><br><span class="line">site:csdn.net filetype:pdf 搜索csdn网站中的pdf文件</span><br><span class="line">filetype:pdf site:www.51cto.com 搜索51cto的pdf文件</span><br></pre></td></tr></table></figure>

<p> <strong>inurl:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">功能： 搜索url网址存在特定关键字的网页，可以用来搜寻有注入点的网站</span><br><span class="line">示例：</span><br><span class="line">inurl:.php?id= 搜索网址中有&quot;php?id&quot;的网页</span><br><span class="line">inurl:view.php=? 搜索网址中有&quot;view.php=&quot;的网页</span><br><span class="line">inurl:.jsp?id= 搜索网址中有&quot;jsp?id&quot;的网页</span><br><span class="line">inurl:.asp?id= 搜索网址中有&quot;asp?id&quot;的网页</span><br><span class="line">inurl: /admin/login.php 搜索网址中有&quot;/admin/login.php&quot;的网页</span><br><span class="line">inurl:login 搜索网址中有&quot;login&quot;等登录网页</span><br></pre></td></tr></table></figure>

<p><strong>intitle:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">功能： 搜索标题存在特定关键字的网页</span><br><span class="line">示例：</span><br><span class="line">intitle:后台登录 搜索网页标题是“后台登录”的相关网页</span><br><span class="line">intitle:后台管理 filetype:php 搜索网页标题是“后台管理”的php页面</span><br><span class="line">intitle:index of &quot;keyword&quot; 搜索此关键字相关的索引目录信息</span><br><span class="line">intitle:index of &quot;parent directory&quot; 搜索根目录相关的索引目录信息</span><br><span class="line">intitle:index of &quot;password&quot; 搜索密码相关的索引目录信息</span><br><span class="line">intitle:index of &quot;login&quot; 搜索登录页面信息</span><br><span class="line">intitle:index of &quot;admin&quot; 搜索后台管理页面信息</span><br></pre></td></tr></table></figure>

<p><strong>intext:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">功能： 搜索正文存在特定关键字的网页</span><br><span class="line">示例：</span><br><span class="line">intext:Powered by Discuz 搜索Discuz论坛相关的页面</span><br><span class="line">intext:powered by wordpress 搜索wordpress制作的博客网址</span><br><span class="line">intext:Powered by *CMS 搜索*CMS相关的页面</span><br><span class="line">intext:powered by xxx inurl:login 搜索此类网址的后台登录页面</span><br></pre></td></tr></table></figure>

<p><strong>符号:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">-keyword 强制结果不要出现此关键字,例如：电影 -黑客</span><br><span class="line">*keyword 模糊搜索，强制结果包含此关键字,例如：电影 一个叫*决定*</span><br><span class="line">&quot;keyword&quot; 强制搜索结果出现此关键字,例如：书籍 &quot;web安全&quot;</span><br></pre></td></tr></table></figure>

<p><strong>示例:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line">site:huoxian.cn intext:&quot;忘记密码&quot;</span><br><span 
class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;工号&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;优秀员工&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;身份证号码&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;手机号&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;手册&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn intext:&quot;文档&quot;</span><br><span class="line"></span><br><span class="line">site:huoxian.cn inurl:token （带token的也许可以未授权进入系统）</span><br><span class="line">可以扩散思维找一些cookie、session、jsession、userid、passwd</span><br><span class="line"></span><br><span class="line">分析身份证的构成，身份证是前六位是区域行政编码：</span><br><span class="line">site:edu.cn &quot;450000&quot; +sfz</span><br><span class="line"></span><br><span class="line">报告类的</span><br><span class="line">site:edu.cn &quot;审计报告&quot; &quot;SFZH&quot; filetype:pdf </span><br><span class="line">site:edu.cn&quot;财务报告&quot; &quot;SFZH&quot; filetype:pdf </span><br><span class="line"></span><br><span class="line">奖金类的:</span><br><span class="line">site:edu.cn &quot;科技奖&quot; &quot;SFZH&quot;  filetype:pdf</span><br><span class="line">site:edu.cn &quot;专利发明&quot; &quot;SFZH&quot;  filetype:pdf</span><br><span class="line"></span><br><span class="line">证书类的:</span><br><span class="line">site:edu.cn &quot;营业执照&quot; &quot;SFZH&quot; filetype:pdf</span><br><span class="line">site:edu.cn &quot;职称证&quot; &quot;SFZH&quot; filetype:pdf</span><br><span class="line"></span><br><span class="line">个人类：</span><br><span class="line">site:edu.cn  &quot;年月.*&quot; &quot;聘任时间&quot; &quot;SFZH&quot;  filetype:pdf  -学号 -准考证</span><br><span class="line">site:edu.cn  &quot;破格*&quot; &quot;SFZH&quot;  filetype:pdf   -学号 -准考证 </span><br><span class="line">site:edu.cn  &quot;汉*&quot;  &quot;SFZH&quot; filetype:pdf   
-学号 -准考证</span><br><span class="line"></span><br><span class="line">合同类：</span><br><span class="line">site:edu.cn   &quot;同意推荐其参评*&quot;  filetype:pdf +SFZH -学号 -准考证 </span><br><span class="line">site:edu.cn   &quot;*出版合同&quot;  filetype:pdf +SFZH -学号 -准考证 </span><br><span class="line">site:edu.cn   &quot;甲方代表*&quot;   filetype:pdf +SFZH -学号 -准考证</span><br><span class="line">site:edu.cn   &quot;甲方代表人&quot;   filetype:pdf +SFZH -学号 -准考证 </span><br><span class="line">site:edu.cn &quot;甲方聘请乙方&quot; filetype:pdf +SFZH -学号 -准考证</span><br><span class="line">site:edu.cn &quot;甲方的权利和义务&quot; filetype:pdf +SFZH -学号 -准考证</span><br><span class="line"></span><br><span class="line">总之多扩展，一些关键字:</span><br><span class="line">国家学生体质健康标准数据录入说明</span><br><span class="line">毕业生邮寄</span><br><span class="line">档案邮寄</span><br><span class="line">门 禁 管 理 系 统 录 入 申 请 表</span><br><span class="line">团员信息名单</span><br><span class="line">四六级报名</span><br><span class="line">奖学金</span><br><span class="line">新生信息</span><br><span class="line">缴费人员</span><br><span class="line">Untitled</span><br><span class="line">代理人</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">关键字获取：</span><br><span class="line">输入一份文件的一个字或两个字作为探针。</span><br><span class="line">留意返回页面的title，这种就是关键字。</span><br><span class="line">可以根据此方法不断修正关键字。</span><br></pre></td></tr></table></figure>

<h2 id="备案号查询"><a href="#备案号查询" class="headerlink" title="备案号查询"></a>备案号查询</h2><p>备案号是网站是否合法注册经营的标志，可随时到国家工业和信息化部网站备案系统上查询该ICP备案的相关详细信息。<br><strong>网站</strong>：<br><a href="http://www.beianbeian.com/" target="_blank" rel="noopener">www.beianbeian.com</a></p>
<h2 id="敏感信息收集"><a href="#敏感信息收集" class="headerlink" title="敏感信息收集"></a>敏感信息收集</h2><p>github,gitee,coding,gitlab 语法信息收集：edu.cn password</p>
<p>github 源代码信息泄露收集（Github_Nuggests，GitHack，GitPrey-master 以及 GitHarvester，gitscan，github 语法信息收集）</p>
<p>svn 信息泄漏收集（svn_git_scanner，seekret（目录信息搜索），Seay SVN 漏洞利用工具）</p>
<p>DS_Store 泄露（ds_store_exp）。</p>
<p>批量信息泄露扫描：bbscan（可以用小字典快速扫描网站的泄露和它的旁站网段的所有信息泄露）。</p>
<p>hg 源码泄漏：dvcs-ripper-master。</p>
<p>Metagoofil 收集敏感的文档文件</p>
<h2 id="指纹收集"><a href="#指纹收集" class="headerlink" title="指纹收集"></a>指纹收集</h2><p>第三方收集:<br><a href="http://www.yunsee.cn/" target="_blank" rel="noopener">www.yunsee.cn</a></p>
<p>浏览器插件妙用:<br>Wappalyzer</p>
<h2 id="邮箱查询地址（在线）用于社工及字典制作"><a href="#邮箱查询地址（在线）用于社工及字典制作" class="headerlink" title="邮箱查询地址（在线）用于社工及字典制作"></a>邮箱查询地址（在线）用于社工及字典制作</h2><p><a href="https://phonebook.cz/" target="_blank" rel="noopener">https://phonebook.cz</a></p>
<p><a href="https://hunter.io/" target="_blank" rel="noopener">https://hunter.io</a></p>
<p><a href="http://www.skymem.info/" target="_blank" rel="noopener">http://www.skymem.info</a></p>
<p><a href="https://www.email-format.com/i/search" target="_blank" rel="noopener">https://www.email-format.com/i/search</a></p>
<h2 id="路径扫描工具"><a href="#路径扫描工具" class="headerlink" title="路径扫描工具"></a>路径扫描工具</h2><p><a href="https://github.com/Mosuan/FileScan">文件扫描工具</a></p>
<p><a href="https://github.com/H4ckForJob/dirmap">DirMap</a>  </p>
<p><a href="https://github.com/foryujian/yjdirscan/releases/tag/yjdirscan">御剑</a>    </p>
<h2 id="端口信息收集"><a href="#端口信息收集" class="headerlink" title="端口信息收集"></a>端口信息收集</h2><p><a href="https://github.com/robertdavidgraham/masscan">masscan</a><br>缺点：很吃带宽</p>
<p><a href="https://github.com/wk0ng/port">御剑高速端口扫描工具</a></p>
<h2 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>端口扫描</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">21 ftp          </span><br><span class="line">22 SSH</span><br><span class="line">23 Telnet</span><br><span class="line">80 web</span><br><span class="line">80-89 web</span><br><span class="line">161 SNMP</span><br><span class="line">389 LDAP</span><br><span class="line">443 SSL心脏滴血445 SMB</span><br><span class="line">512,513,514 Rexec</span><br><span class="line">873 Rsync未授权</span><br><span class="line">1025,111 NFS</span><br><span class="line">1433 MSSQL</span><br><span class="line">1521 Oracle:(iSqlPlus Port:5560,7778)</span><br><span class="line">2601,2604 
zebra路由，默认密码zebra</span><br><span class="line">3306 MySQL</span><br><span class="line">3312/3311 kangle主机管理系统登陆</span><br><span class="line">3389 远程桌面</span><br><span class="line">4440 rundeck</span><br><span class="line">5432 PostgreSQL</span><br><span class="line">5984 CouchDB http://xxx:5984/_utils/</span><br><span class="line">6082 varnish</span><br><span class="line">6379 redis未授权</span><br><span class="line">7001,7002 WebLogic默认弱口令，反序列</span><br><span class="line">7778 Kloxo主机控制面板登录</span><br><span class="line">8000-9090 都是一些常见的web端口，有些运维喜欢把管理后台开在这些非80的端口上</span><br><span class="line">7001,7002 WebLogic默认弱口令，反序列</span><br><span class="line">7778 Kloxo主机控制面板登录</span><br><span class="line">8080 tomcat/WDCP主机管理系统，默认弱口令</span><br><span class="line">8080,8089,9090 JBOSS</span><br><span class="line">8161 activemq未授权访问默认用户名和密码是admin</span><br><span class="line">8888 amh/LuManager 主机管理系统默认端口</span><br><span class="line">9200,9300 elasticsearch</span><br><span class="line">10000 Virtualmin/Webmin 服务器虚拟主机管理系统</span><br><span class="line">11211 memcache未授权访问</span><br><span class="line">27017,27018 Mongodb未授权访问</span><br><span class="line">28017 mongodb统计页面</span><br><span class="line">50000 SAP命令执行</span><br><span class="line">50070,50030 hadoop默认端口未授权访问</span><br></pre></td></tr></table></figure>

<h2 id="利用nmap快速捡洞和检洞"><a href="#利用nmap快速捡洞和检洞" class="headerlink" title="利用nmap快速捡洞和检洞"></a>利用nmap快速捡洞和检洞</h2><p>利用nmap五条指令快速捡洞和检洞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">系统漏洞检测（SMB）：nmap --script "smb-vuln*" -p 445 192.168.1.1</span><br><span class="line">服务弱口令爆破：nmap -sV --script=brute 192.168.1.1</span><br><span class="line">收集应用服务信息： nmap -sV -sC 192.168.1.1</span><br><span class="line">检测常见漏洞：nmap -sV --script=vuln 192.168.1.1</span><br><span class="line">认证相关检查（匿名访问、默认凭据、认证绕过）： nmap -sV --script=auth 192.168.1.1</span><br></pre></td></tr></table></figure>
<p>几点说明：原文第一条 <code>nmap --script smb-check-vulns.nse -p 192.168.1.1</code> 有两处问题——<code>-p</code> 后面应接端口（SMB 为 445）而不是目标 IP；<code>smb-check-vulns.nse</code> 在新版 Nmap 中已被 <code>smb-vuln-*</code> 系列脚本取代。<code>brute</code> 类脚本会对所有识别出的服务（不只是数据库）做口令爆破，动静很大且可能触发账户锁定；<code>vuln</code> 类中部分脚本具有侵入性，可能导致目标服务崩溃；<code>auth</code> 类脚本处理的是认证凭据与认证绕过（如匿名/默认凭据访问），真正的弱口令枚举属于 <code>brute</code> 类。加上 <code>-sV</code> 可以让依赖服务识别的脚本命中跑在非默认端口上的服务。以上扫描只能在取得授权的范围内执行。</p>

<h2 id="状态码浅析"><a href="#状态码浅析" class="headerlink" title="状态码浅析"></a>状态码浅析</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">200 OK                  //请求成功，响应体包含请求的结果</span><br><span class="line">400 Bad Request         //请求语法有误，服务器无法理解，例如 URL 中插入了无效字符</span><br><span class="line">401 Unauthorized        //需要 HTTP 身份认证才能访问，WWW-Authenticate 响应头说明服务器支持的认证方式（如 Basic、NTLM）</span><br><span class="line">403 Forbidden           //服务器理解请求但拒绝执行；目录枚举时 403 与 404 的区别很有价值——403 通常说明该路径存在，只是当前无权访问</span><br><span class="line">404 Not Found           //请求的资源不存在，例如输入了错误的 URL；注意有些站点对不存在的路径也返回 200（软 404），需要对比响应内容和长度</span><br><span class="line">405 Method Not Allowed  //使用了该资源不支持的请求方法，如 PUT；响应中的 Allow 头会列出允许的方法</span><br><span class="line">503 Service Unavailable //服务器当前无法处理请求（过载或维护中），一段时间后可能恢复</span><br></pre></td></tr></table></figure>

<p><strong>百度网盘泄密</strong>:</p>
<p>百度搜  百度网盘搜索引擎 即可</p>
<p>关键字举例:<br>关键字：XXX公司内部资料<br>关键字：XXX网密码</p>
<p><strong>GitHub泄密</strong>:<br><a href="https://github.com/0xbug/Hawkeye">https://github.com/0xbug/Hawkeye</a></p>
<p>监控GitHub的代码库，及时发现员工托管公司代码到GitHub的行为并预警，降低代码泄露风险。</p>
<h2 id="资产监控及分析"><a href="#资产监控及分析" class="headerlink" title="资产监控及分析"></a>资产监控及分析</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">各软件商店（Android、iOS）的应用及开发者信息</span><br><span class="line">第三方威胁情报平台:     threatbook.cn</span><br><span class="line">自媒体第三方平台</span><br><span class="line">微信小程序</span><br><span class="line">网站产品列表</span><br><span class="line">朋友圈</span><br><span class="line">等</span><br></pre></td></tr></table></figure>

<h2 id="漏洞库"><a href="#漏洞库" class="headerlink" title="漏洞库"></a>漏洞库</h2><p><a href="https://wiki.bylibrary.cn/" target="_blank" rel="noopener">白阁文库</a><br><a href="https://www.yuque.com/peiqiwiki/peiqi-poc-wiki" target="_blank" rel="noopener">佩奇文库</a></p>
<h2 id="各行业常见漏洞列表"><a href="#各行业常见漏洞列表" class="headerlink" title="各行业常见漏洞列表"></a>各行业常见漏洞列表</h2><font size=4 >

<!-- more -->

<p>扩展阅读:<br><a href="https://www.freebuf.com/articles/web/269002.html" target="_blank" rel="noopener">一个“登录框”引发的安全问题</a></p>
<p><strong>1.教育行业:</strong></p>
<table>
<thead>
<tr>
<th>通用业务模块</th>
<th>业务逻辑漏洞</th>
</tr>
</thead>
<tbody><tr>
<td>登录</td>
<td>暴力破解  、 撞库 、验证码爆破和绕过 、账户权限绕过</td>
</tr>
<tr>
<td>注册</td>
<td>存储型xss 、 批量注册  、  任意用户注册</td>
</tr>
<tr>
<td>密码找回</td>
<td>重置任意用户密码、新密码劫持、短信验证码劫持、用户邮箱劫持篡改</td>
</tr>
<tr>
<td>后台管理</td>
<td>管理员用户密码绕过、目录遍历、下载</td>
</tr>
<tr>
<td>评论</td>
<td>POST注入、CSRF、存储型xss、上传漏洞、越权发布</td>
</tr>
<tr>
<td>传输过程</td>
<td>cookie注入、明文传输、cookie劫持</td>
</tr>
<tr>
<td>业务查询</td>
<td>搜索型注入、办理人信息泄露</td>
</tr>
<tr>
<td>业务办理</td>
<td>顶替办理、绕过业务办理流程、篡改其他办理人信息、办理人信息泄露</td>
</tr>
</tbody></table>
<p><strong>2.互联网行业:</strong></p>
<table>
<thead>
<tr>
<th>通用业务模块</th>
<th>业务逻辑漏洞</th>
</tr>
</thead>
<tbody><tr>
<td>登录</td>
<td>暴力破解  、 撞库 、验证码爆破和绕过 、账户权限绕过</td>
</tr>
<tr>
<td>注册</td>
<td>存储型xss 、 批量注册  、  任意用户注册</td>
</tr>
<tr>
<td>密码找回</td>
<td>重置任意用户密码、新密码劫持、短信验证码劫持、用户邮箱劫持篡改</td>
</tr>
<tr>
<td>后台管理</td>
<td>管理员用户密码绕过、目录遍历、下载</td>
</tr>
<tr>
<td>会员系统</td>
<td>用户越权访问、个人资料信息泄露、遍历</td>
</tr>
<tr>
<td>评论</td>
<td>POST注入、CSRF、存储型xss、上传漏洞、越权发布</td>
</tr>
<tr>
<td>传输过程</td>
<td>cookie注入、明文传输、cookie劫持</td>
</tr>
</tbody></table>
<p><strong>3.金融行业:</strong></p>
<table>
<thead>
<tr>
<th>通用业务模块</th>
<th>业务逻辑漏洞</th>
</tr>
</thead>
<tbody><tr>
<td>登录</td>
<td>暴力破解  、 撞库 、验证码爆破和绕过 、账户权限绕过</td>
</tr>
<tr>
<td>注册</td>
<td>存储型xss 、 批量注册  、  任意用户注册</td>
</tr>
<tr>
<td>密码找回</td>
<td>重置任意用户密码、新密码劫持、短信验证码劫持、用户邮箱劫持篡改</td>
</tr>
<tr>
<td>评论</td>
<td>POST注入、CSRF、存储型xss、上传漏洞、越权发布</td>
</tr>
<tr>
<td>会员系统</td>
<td>用户越权访问、个人资料信息泄露&#x2F;遍历</td>
</tr>
<tr>
<td>传输过程</td>
<td>cookie注入、明文传输、cookie劫持</td>
</tr>
<tr>
<td><strong>购买支付</strong></td>
<td>商品金额篡改、商品数量篡改、交易信息泄露</td>
</tr>
<tr>
<td><strong>充值</strong></td>
<td>虚假充值金额、充值数量篡改、篡改充值账户</td>
</tr>
<tr>
<td><strong>抽奖&#x2F;活动</strong></td>
<td>盗取活动奖品、盗刷积分、抽奖作弊</td>
</tr>
<tr>
<td><strong>优惠券&#x2F;代金券</strong></td>
<td>批量刷优惠券&#x2F;代金券、更改代金券金额、更改优惠券数量</td>
</tr>
<tr>
<td><strong>订单</strong></td>
<td>订单信息泄露、用户信息泄露、订单遍历</td>
</tr>
<tr>
<td><strong>账户</strong></td>
<td>账户绕过、账户余额盗取、账户绑定手机号绕过</td>
</tr>
</tbody></table>
<p><strong>4.电商行业:</strong></p>
<table>
<thead>
<tr>
<th>通用业务模块</th>
<th>业务逻辑漏洞</th>
</tr>
</thead>
<tbody><tr>
<td>登录</td>
<td>暴力破解  、 撞库 、验证码爆破和绕过 、账户权限绕过</td>
</tr>
<tr>
<td>注册</td>
<td>存储型xss 、 批量注册  、  任意用户注册</td>
</tr>
<tr>
<td>密码找回</td>
<td>重置任意用户密码、新密码劫持、短信验证码劫持、用户邮箱劫持篡改</td>
</tr>
<tr>
<td>购买支付</td>
<td>商品金额篡改、商品数量篡改、交易信息泄露</td>
</tr>
<tr>
<td>充值</td>
<td>虚假充值金额、充值数量篡改、篡改充值账户</td>
</tr>
<tr>
<td>抽奖&#x2F;活动</td>
<td>盗取活动奖品、盗刷积分、抽奖作弊</td>
</tr>
<tr>
<td>优惠券&#x2F;代金券</td>
<td>批量刷优惠券&#x2F;代金券、更改代金券金额、更改优惠券数量</td>
</tr>
<tr>
<td>订单</td>
<td>订单信息泄露、用户信息泄露、订单遍历</td>
</tr>
<tr>
<td>账户</td>
<td>账户绕过、账户余额盗取、账户绑定手机号绕过</td>
</tr>
<tr>
<td>评论</td>
<td>POST注入、CSRF、存储型xss、上传漏洞、越权发布</td>
</tr>
<tr>
<td>会员系统</td>
<td>用户越权访问、个人资料信息泄露&#x2F;遍历</td>
</tr>
<tr>
<td>传输过程</td>
<td>cookie注入、明文传输、cookie劫持</td>
</tr>
<tr>
<td><strong>抢购活动</strong></td>
<td>低价抢购、抢购作弊、刷单</td>
</tr>
<tr>
<td><strong>运费</strong></td>
<td>运费绕过、运费修改</td>
</tr>
<tr>
<td><strong>第三方商家</strong></td>
<td>盗号、商家信息泄露、商家账户遍历</td>
</tr>
</tbody></table>
<p><strong>5.政务行业</strong></p>
<table>
<thead>
<tr>
<th>通用业务模块</th>
<th>业务逻辑漏洞</th>
</tr>
</thead>
<tbody><tr>
<td>登录</td>
<td>暴力破解  、 撞库 、验证码爆破和绕过 、账户权限绕过</td>
</tr>
<tr>
<td>注册</td>
<td>存储型xss 、 批量注册  、  任意用户注册</td>
</tr>
<tr>
<td>评论</td>
<td>POST注入、CSRF、存储型xss、上传漏洞、越权发布</td>
</tr>
<tr>
<td>传输过程</td>
<td>cookie注入、明文传输、cookie劫持</td>
</tr>
<tr>
<td>密码找回</td>
<td>重置任意用户密码、新密码劫持、短信验证码劫持、用户邮箱劫持篡改</td>
</tr>
<tr>
<td><strong>后台管理</strong></td>
<td>管理员用户密码绕过、目录遍历&#x2F;下载</td>
</tr>
<tr>
<td><strong>业务查询</strong></td>
<td>搜索型注入、办理人信息泄露</td>
</tr>
<tr>
<td><strong>业务办理</strong></td>
<td>顶替办理、绕过业务办理流程、篡改其他办理人信息、办理人信息泄露</td>
</tr>
</tbody></table>
</font>



<h2 id="学习来源"><a href="#学习来源" class="headerlink" title="学习来源:"></a>学习来源:</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">信息收集小tips:</span><br><span class="line">https://www.cnblogs.com/cute-puli/p/15538612.html</span><br><span class="line"></span><br><span class="line">浅谈渗透测试前的信息收集:</span><br><span class="line">磐石计划 - 陈殷</span><br><span class="line"></span><br><span class="line">常见网站漏洞checklist</span><br><span class="line">https://www.hui-blog.cool/posts/97ef.html</span><br></pre></td></tr></table></figure>

 </font>


  </div>
</article>



        
</body>
</html>
